Endpoint Protection


svchost.exe traffic has been blocked by SEP Network Threat Protection

  • 1.  svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 30, 2012 08:46 AM

    https://www-secure.symantec.com/connect/forums/traffic-has-been-blocked-svchostexe 

    I have been having a problem with my SEP Threat Detection.  It seems that every 4 minutes I receive a notification from SEP that it has blocked svchost.exe. 

    This is a clean computer, I have scanned with antivirus software and antimalware software since this has happened.  The problem arose when I decided to switch from Avast antivirus software to SEP as my school has allowed me to download the latest version of it.

    I have a Windows 7 Pro, SEP version 12.1.1000.157 RU1. 

    The pop-up notifications are annoying, and I know I don't have a virus.  So I consulted https://www-secure.symantec.com/connect/forums/traffic-has-been-blocked-svchostexe.  They told me to disable ip6.  I did.  It seems like my problems are coming from IP4, as you can see by my threat log:

    12/30/2012 8:37:56 AM    Blocked    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:36:54 AM    12/30/2012 8:37:00 AM    Block UPnP Discovery    
    12/30/2012 8:37:00 AM    Allowed    3    Incoming    UDP    0.0.0.0    78-A3-E4-11-C5-87    68    255.255.255.255    FF-FF-FF-FF-FF-FF    67        Admin    Argh0812    Default    1    12/30/2012 8:35:59 AM    12/30/2012 8:35:59 AM    Allow BOOTP protocol    
    12/30/2012 8:37:00 AM    Allowed    3    Incoming    UDP    192.168.0.1    00-1B-11-56-C2-35    67    255.255.255.255    FF-FF-FF-FF-FF-FF    68        Admin    Argh0812    Default    1    12/30/2012 8:35:59 AM    12/30/2012 8:35:59 AM    Allow BOOTP protocol    
    12/30/2012 8:36:49 AM    Allowed    3    Outgoing    IP    239.255.255.250    01-00-5E-7F-FF-FA    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:48 AM    12/30/2012 8:35:48 AM    Allow IGMP traffic    
    12/30/2012 8:36:49 AM    Allowed    3    Outgoing    IP    224.0.0.251    01-00-5E-00-00-FB    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:48 AM    12/30/2012 8:35:48 AM    Allow IGMP traffic    
    12/30/2012 8:36:43 AM    Allowed    3    Outgoing    IP    224.0.0.252    01-00-5E-00-00-FC    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:42 AM    12/30/2012 8:35:42 AM    Allow IGMP traffic    
    12/30/2012 8:36:43 AM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:42 AM    12/30/2012 8:35:42 AM    Allow IGMP traffic    
    12/30/2012 8:35:09 AM    Allowed    3    Incoming    UDP    192.168.0.1    00-1B-11-56-C2-35    1900    239.255.255.250    01-00-5E-7F-FF-FA    1900        Admin    Argh0812    Default    42    12/30/2012 8:34:07 AM    12/30/2012 8:34:13 AM    Allow UPnP Discovery from private IP addresses    
    12/30/2012 8:34:41 AM    Allowed    3    Outgoing    IP    239.255.255.250    01-00-5E-7F-FF-FA    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:39 AM    12/30/2012 8:33:39 AM    Allow IGMP traffic    
    12/30/2012 8:34:41 AM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.252    01-00-5E-00-00-FC    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:39 AM    12/30/2012 8:33:39 AM    Allow IGMP traffic    
    12/30/2012 8:34:35 AM    Allowed    3    Outgoing    IP    224.0.0.251    01-00-5E-00-00-FB    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:34 AM    12/30/2012 8:33:34 AM    Allow IGMP traffic    
    12/30/2012 8:34:35 AM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:34 AM    12/30/2012 8:33:34 AM    Allow IGMP traffic    
    12/30/2012 8:32:38 AM    Allowed    3    Outgoing    IP    224.0.0.252    01-00-5E-00-00-FC    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:37 AM    12/30/2012 8:31:37 AM    Allow IGMP traffic    
    12/30/2012 8:32:38 AM    Allowed    3    Outgoing    IP    239.255.255.250    01-00-5E-7F-FF-FA    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:37 AM    12/30/2012 8:31:37 AM    Allow IGMP traffic    
    12/30/2012 8:32:33 AM    Allowed    3    Incoming    IP    192.168.0.122    68-A8-6D-B7-37-A9    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:31 AM    12/30/2012 8:31:31 AM    Allow IGMP traffic    
    12/30/2012 8:32:33 AM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:31 AM    12/30/2012 8:31:31 AM    Allow IGMP traffic    
    12/30/2012 8:32:33 AM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:31 AM    12/30/2012 8:31:31 AM    Allow IGMP traffic    
    12/30/2012 8:30:36 AM    Allowed    3    Incoming    UDP    192.168.0.148    00-17-A4-6F-1A-F0    1900    239.255.255.250    01-00-5E-7F-FF-FA    1900        Admin    Argh0812    Default    10    12/30/2012 8:29:34 AM    12/30/2012 8:29:34 AM    Allow UPnP Discovery from private IP addresses    
    12/30/2012 8:30:36 AM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.252    01-00-5E-00-00-FC    NA        Admin    Argh0812    Default    1    12/30/2012 8:29:34 AM    12/30/2012 8:29:34 AM    Allow IGMP traffic    
    12/30/2012 8:30:30 AM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    28983    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:29:29 AM    12/30/2012 8:29:29 AM    Allow SSDP from private IP addresses    
    12/30/2012 8:30:30 AM    Allowed    3    Incoming    IP    192.168.0.146    00-25-00-3A-C8-2E    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:29:29 AM    12/30/2012 8:29:29 AM    Allow IGMP traffic    
    12/30/2012 8:30:30 AM    Blocked    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:29:29 AM    12/30/2012 8:29:34 AM    Block UPnP Discovery    
    12/30/2012 8:30:30 AM    Allowed    3    Outgoing    IP    224.0.0.22    01-00-5E-00-00-16    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    12    12/30/2012 8:29:29 AM    12/30/2012 8:29:29 AM    Allow IGMP traffic    

    Please help me find a resolution ASAP!  Thank you so much for your time.  I am brand new to Norton, so please go into descriptions if you find a solution.  Thank you!



  • 2.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection
    Best Answer

    Posted Dec 30, 2012 09:01 AM

    Is this an unmanaged client? It sounds like it is.

    12/30/2012 8:37:56 AM    Blocked    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:36:54 AM    12/30/2012 8:37:00 AM    Block UPnP Discovery

    It's legitimate traffic that is being blocked by the Block UPnP Discovery rule.

    Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.

    You can allow it by opening the SEP GUI and under Network Threat Protection click Options >> Configure Firewall Rules

    Select the Block UPnP Discovery and hit Edit

    Under Action, select Allow this traffic and click OK

    You should not see the message for this rule any more.

    You can disable the notifications completely by going to NTP >> Options >> Configure Settings and on the Notification tab, select the option to not show messages. However, this will disable the message for all rules and is not really recommended. But if you do, you would need to keep a closer eye on your logs.
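    As an added example (not from this thread or from Symantec), a small Python triage helper that parses log lines in the 19-column order shown in the posts above and sums blocked traffic by rule, process and remote endpoint, so you can confirm that the repeated block is SSDP multicast (239.255.255.250:1900) from svchost.exe before deciding whether to change the rule. The column names and the tab separator are assumptions; the sample lines are constructed from the ones posted in the thread.

```python
from collections import Counter
from ipaddress import ip_address

# Column order as it appears in the thread's log dump (names are an assumption).
COLUMNS = ["time", "action", "severity", "direction", "protocol",
           "remote_host", "remote_mac", "remote_port", "local_host", "local_mac",
           "local_port", "application", "user", "domain", "location",
           "occurrences", "begin", "end", "rule"]

# Constructed sample: four lines copied from the thread, assumed tab-separated on export.
SAMPLE_LOG = "\n".join([
    "12/30/2012 8:37:56 AM\tBlocked\t3\tOutgoing\tUDP\t239.255.255.250\t01-00-5E-7F-FF-FA\t1900\t192.168.0.143\t00-10-18-EA-74-75\t1900\tC:\\Windows\\System32\\svchost.exe\tLOCAL SERVICE\tNT AUTHORITY\tDefault\t18\t12/30/2012 8:36:54 AM\t12/30/2012 8:37:00 AM\tBlock UPnP Discovery",
    "12/30/2012 8:37:00 AM\tAllowed\t3\tIncoming\tUDP\t0.0.0.0\t78-A3-E4-11-C5-87\t68\t255.255.255.255\tFF-FF-FF-FF-FF-FF\t67\t\tAdmin\tArgh0812\tDefault\t1\t12/30/2012 8:35:59 AM\t12/30/2012 8:35:59 AM\tAllow BOOTP protocol",
    "12/30/2012 8:28:37 PM\tBlocked\t3\tOutgoing\tUDP\tFF02:0:0:0:0:0:1:2\t33-33-00-01-00-02\t547\tFE80:0:0:0:1454:AB16:74EC:CAD2\t00-10-18-EA-74-75\t546\t\tAdmin\tArgh0812\tDefault\t1\t12/30/2012 8:27:36 PM\t12/30/2012 8:27:36 PM\tBlock IPv6 (Ethernet type 0x86dd)",
    "12/30/2012 8:28:32 PM\tBlocked\t3\tOutgoing\tUDP\tFF02:0:0:0:0:0:0:C\t33-33-00-00-00-0C\t1900\tFE80:0:0:0:1454:AB16:74EC:CAD2\t00-10-18-EA-74-75\t1900\t\tAdmin\tArgh0812\tDefault\t18\t12/30/2012 8:27:31 PM\t12/30/2012 8:27:41 PM\tBlock IPv6 (Ethernet type 0x86dd)",
])


def parse_sep_traffic_log(text):
    """Turn the export into dicts; lines whose field count does not match are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != len(COLUMNS):
            continue
        records.append(dict(zip(COLUMNS, fields)))
    return records


def describe_remote(host, port):
    """Label the remote endpoint so the analyst sees why a discovery rule fired."""
    try:
        addr = ip_address(host)
    except ValueError:
        return "unparseable address"
    if host == "239.255.255.250" and port == "1900":
        return "SSDP multicast (UPnP discovery)"
    if addr.is_multicast:
        return "multicast (IPv%d)" % addr.version
    return "unicast (IPv%d)" % addr.version


def summarize_blocked(records):
    """Sum the 'occurrences' column of Blocked rows per (rule, process, remote host:port)."""
    totals = Counter()
    for r in records:
        if r["action"] != "Blocked":
            continue
        key = (r["rule"], r["application"] or "<no process>",
               "%s:%s" % (r["remote_host"], r["remote_port"]))
        totals[key] += int(r["occurrences"])
    return totals


def triage_report(text):
    """One line per blocked flow, most frequent first, with the endpoint explained."""
    report = []
    for (rule, app, remote), count in summarize_blocked(parse_sep_traffic_log(text)).most_common():
        host, port = remote.rsplit(":", 1)
        report.append("%5d  %-34s %-36s %s  [%s]" % (count, rule, app, remote, describe_remote(host, port)))
    return report


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_LOG)))
```

    Run against a real export the same way; the top line tells you which rule and process generate the pop-ups, and the bracketed label tells you whether the destination is local discovery multicast or something that deserves a closer look.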




  • 3.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Broadcom Employee
    Posted Dec 30, 2012 09:01 AM
    There should be a rule for the "Block UPnP Discovery"; you need to change it. Do you have any issue with the operations? If not, then let the rule be as it is.


  • 4.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 30, 2012 04:49 PM

    Brian:  What do you mean by unmanaged client?  I am on a home LAN. 


    I cannot find that option to Configure Firewall Rules. 



  • 5.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 30, 2012 06:34 PM

    It means the SEP client is not managed by a SEPM. If you're on a home LAN it is likely unmanaged.

    When you open the SEP GUI, click on options next to Network Threat Protection. You should see "Configure Firewall Rules" as one of the options.



  • 6.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 30, 2012 08:08 PM

    Brian, I do not see that as an option.  Here is what I see: 



  • 7.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 30, 2012 08:20 PM

    Oops, I was looking in the wrong section.  Idiot me.  I will let you know if it keeps on popping up.  I will just have to wait to see.  Thanks. 



  • 8.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 30, 2012 08:31 PM

    12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.108    00-24-2B-79-19-06    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
    12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.252    01-00-5E-00-00-FC    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
    12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.108    00-24-2B-79-19-06    NA    239.255.255.250    01-00-5E-7F-FF-FA    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
    12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
    12/30/2012 8:28:37 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:1:2    33-33-00-01-00-02    547    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    546        Admin    Argh0812    Default    1    12/30/2012 8:27:36 PM    12/30/2012 8:27:36 PM    Block IPv6 (Ethernet type 0x86dd)    
    12/30/2012 8:28:32 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    1900    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    1900        Admin    Argh0812    Default    18    12/30/2012 8:27:31 PM    12/30/2012 8:27:41 PM    Block IPv6 (Ethernet type 0x86dd)    
    12/30/2012 8:28:32 PM    Allowed    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:27:31 PM    12/30/2012 8:27:41 PM    Block UPnP Discovery    
    12/30/2012 8:27:51 PM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    29069    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:26:50 PM    12/30/2012 8:26:50 PM    Allow SSDP from private IP addresses    
    12/30/2012 8:27:51 PM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    29068    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:26:50 PM    12/30/2012 8:26:50 PM    Allow SSDP from private IP addresses    
    12/30/2012 8:27:51 PM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    29067    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:26:50 PM    12/30/2012 8:26:50 PM    Allow SSDP from private IP addresses    
    12/30/2012 8:27:36 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:1:2    33-33-00-01-00-02    547    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    546        Admin    Argh0812    Default    6    12/30/2012 8:26:35 PM    12/30/2012 8:27:05 PM    Block IPv6 (Ethernet type 0x86dd)    
    12/30/2012 8:27:11 PM    Allowed    3    Outgoing    IP    224.0.0.251    01-00-5E-00-00-FB    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:26:09 PM    12/30/2012 8:26:09 PM    Allow IGMP traffic   



  • 9.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 30, 2012 08:50 PM

    12/30/2012 8:28:37 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:1:2    33-33-00-01-00-02    547    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    546        Admin    Argh0812    Default    1    12/30/2012 8:27:36 PM    12/30/2012 8:27:36 PM    Block IPv6 (Ethernet type 0x86dd)    

    The "Block IPv6" rule is being triggered. You can either choose to allow it (no notification) or keep blocking it (continued notification), but it's your choice.

    Or you can choose to disable alerts altogether.



  • 10.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection



  • 11.  RE: svchost.exe traffic has been blocked by SEP Network Threat Protection

    Posted Dec 31, 2012 12:55 AM

    Ok, thank you Brian and Ashish.  Everything seems to be working smoothly (no notifications even though I didn't disable them).  I am not getting any pop-ups anymore by disabling the Block IPv6 rule and the blocking PnP.  Thanks again.